AUSTIN, TEXAS - Amid growing concern about security in hospital patient-care systems, the federal agency that regulates medical devices last week announced a get-tough policy to improve equipment safety.
Medical devices such as ultrasound and radiology systems often rely on commercial off-the-shelf software, including Windows and Unix, that requires continuous patching for security. But increasingly, hospital IT administrators are voicing complaints that manufacturers are failing to patch Windows-based equipment quickly or at all, and that the unpatched equipment then falls prey to computer worms. This not only disrupts hospital operations but poses a potential safety hazard to patients.
Hospitals are calling on the U.S. Food and Drug Administration (FDA) to put pressure on manufacturers, which by law must authorize the patch after testing it to see if it might have a negative impact on the medical application.
In turn, manufacturers have put the blame on hospitals, saying they have to do a better job with security, such as including internal firewalls and intrusion-prevention systems.
Last week, FDA Deputy Director Brian Fitzgerald outlined three initiatives to improve a deteriorating security situation.
Speaking at the annual IT Conference organized by the Department of Veterans Affairs (VA), he said the agency won't tolerate medical-device manufacturers failing to keep equipment up to date with security patches.
As a penalty, Fitzgerald said, the FDA will withhold regulatory approval on equipment submitted by manufacturers deemed to have a bad track record on patching. "They won't be able to have certification for new devices," he said.
This get-tough approach, which will go out in a guidance letter, represents a sharpening in enforcement of FDA regulations Section 510(k) and 518. Those rules give the FDA power to set baselines for safety and security.
The FDA also has planned two new efforts to improve security of medical equipment. Guidelines to be issued in the next six months will detail how the FDA expects device manufacturers to be building and testing "networkable, networthy medical devices," Fitzgerald said.
Largely inspired by the Air Force medical-device evaluation program launched last fall that's intended to keep unpatched medical equipment off Air Force networks, the FDA technical guide will be aimed at helping manufacturers achieve "technical excellence," Fitzgerald said.
The Air Force requires device manufacturers to test Windows, Unix, Oracle and other applications, and adhere to a regimen of responding to patching requirements based on security bulletins.
The third FDA regulatory effort will involve the FDA setting up forensics capability to examine devices infected by computer worms or other malware and track down the culprits. In addition, the FDA will create an investigative arm.
This idea evoked skepticism.
"Why would the FDA want to create their own G-men when there are already a bunch of experts at the FBI at work?" asked Steve Wexler, biomedical engineer at the VA who helped the VA's network staff design security for medical equipment at VA hospitals. "If someone wants to poison a medical device, that's a criminal act the FBI should be involved in."
Wexler is gung-ho on the FDA's other ideas.